Slashdot Mirror


Audit Approved of Facebook Policies, Even After Cambridge Analytica Leak (nytimes.com)

Nicholas Confessore reports via The New York Times: An auditing firm responsible for monitoring Facebook for federal regulators told them last year that the company had sufficient privacy protections in place, even after the social media giant lost control of a huge trove of user data that was improperly obtained by the political consulting firm Cambridge Analytica. The assertion, by PwC, came in a report submitted to the Federal Trade Commission in early 2017. The report, a redacted copy of which is available on the commission's website, is one of several periodic reviews of Facebook's compliance with a 2011 federal consent decree, which required Facebook to take wide-ranging steps to prevent the abuse of users' information and to inform them how it was being shared with other companies. The accounting firm, formerly known as PricewaterhouseCoopers, effectively gave Facebook a clean bill of health. "Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy" of users, said the assessment, which stretched from February 2015 to February 2017. But during that period, Facebook was aware that a researcher based in Britain, Aleksandr Kogan, had provided Cambridge Analytica with private Facebook data from millions of users.

73 comments

  1. The system is broken by Anonymous Coward · · Score: 1

    how do we regulate the regulators?

    1. Re:The system is broken by Anonymous Coward · · Score: 0

      Start by regulating yourself!

      sufficient privacy protections: Everything you say can and will be used against you.

      It's right there in black and white. How simple can it be?

    2. Re:The system is broken by ShanghaiBill · · Score: 3, Informative

      The Cambridge Analytica leak was the result of technical incompetence, and poor code review, not bad policy at the level an auditor would see. It is not reasonable to expect a financial auditor to discover bad code.

    3. Re:The system is broken by mccalli · · Score: 4, Insightful

      You can't. I have no Facebook account, but it will have my data anyway from anyone who has ever put me in their contacts. I have no idea if I've been 'tagged' in photos and due to the closed nature I can't search to find out.

      They do have a page to see what data they hold on you if you don't have an account, but to use it of course you need to....send them your data so they can check for matches. Catch 22.

    4. Re:The system is broken by arbiter1 · · Score: 1, Interesting

      Just about any app can do what they are butt hurt at Cambridge for, and guess what, the Clinton campaign used the same thing and so did the Obama camp in 2012, which PIONEERED the practice of using it like that.

    5. Re:The system is broken by Rockoon · · Score: 2, Insightful

      Funny that as a matter of public policy they approved of the Democrats doing it years earlier.

      --
      "His name was James Damore."
    6. Re:The system is broken by king+neckbeard · · Score: 2

      Truth be told, CA was likely Facebook giving one customer everything they give all of their customers. The Clinton campaign probably hired at least 4 equivalents to CA themselves, and there are probably dozens, if not hundreds more, using that same kind of data for non-political purposes.

      --
      This is my signature. There are many like it, but this one is mine.
    7. Re:The system is broken by jellomizer · · Score: 1

      The real problem is we are expecting some mythical set of pure perfection; anything less than perfect will be punished.

      You could be the best driver in the world, and still get into a car accident. Your automobile may fail even after a properly performed inspection.

      Regulators can only look for issues they know about. With a rapidly growing company like Facebook there are new issues that appear and happen before regulators or Facebook even know where to look, and often risks are identified, but no practical solution may be available to mitigate them.

      Most of the time we can only fix problems when we know they are problems. Don't blame people for the problem, blame them for repeating the problem. Because we can't live in a perfect world. If we were in a perfect world we wouldn't have millions of people trying to break into our systems or find ways to misuse the data in the first place. But it isn't. For all the brain power we put into stopping bad things, there is also a lot of brain power behind causing bad things. The advantage always goes to the bad person, because they don't need to consider the trade offs of applying such fixes.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    8. Re:The system is broken by Ol+Olsoc · · Score: 1

      The Cambridge Analytica leak was the result of technical incompetence, and poor code review, not bad policy at the level an auditor would see. It is not reasonable to expect a financial auditor to discover bad code.

      Nothing short of hilarious that while giving Cambridge Analytica and gawd knows who else people's personal data to be weaponized, they present a redacted copy of the audit to the public. Gotta protect privacy, ya know.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:The system is broken by Ol+Olsoc · · Score: 1

      Just about any app can do what they are butt hurt at cambridge and guess what Clinton campaign used the same thing and so did Obama camp in 2012 that PIONEERED the practice to use it like it was.

      Citations that The Clinton campaign and the Kenyan Terror baby used Cambridge Analytica needed.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    10. Re: The system is broken by Anonymous Coward · · Score: 0

      By replacing them with more honest people, just like anything else. The system is fine, it's the creeps in certain positions that stink. The expose is great, but we already have regulations - are we going to enforce them, or not? Big tech has been at this for years, and nothing any of them have proposed protects us from *them*. It's time to stop dancing around the consequences. Create privacy protection that is absolute, mandatorily state this in terms of service, and create stiff penalties for violations, including public disclosure. That would be a great start.

    11. Re:The system is broken by Anonymous Coward · · Score: 0

      The Cambridge Analytica leak was the result of technical incompetence, and poor code review, not bad policy at the level an auditor would see. It is not reasonable to expect a financial auditor to discover bad code.

      BS, I don't for one minute buy this. Facebook has allowed third party apps to gather user data for years and years. Cambridge Analytica wasn't a "leak". It wasn't a "glitch" and it was in no way a "hack" of the systems. Facebook was being used by third parties exactly as intended and it was in no way just Cambridge Analytica doing this. Every third party app on Facebook does this.

    12. Re:The system is broken by oh_my_080980980 · · Score: 1

      THANK YOU! You want to stop this behavior? Then pass some goddamn laws! Don't pretend this is a problem now when this has been Facebook SOP.

      How the fuck do you think they make money by NOT charging for their product!!!

    13. Re:The system is broken by Anonymous Coward · · Score: 0

      Since Deepwater, and the Gulf of Mexico walrus plans, there is no actual punishment for worthless reports. Like North Dakota fracking contamination, insurance payouts do not follow.
      Oh, and the last financial crisis and housing loans. Lessons learned?

      The solution is that each and every report that is needed to tick boxes gets published. And there are reasonable rewards for the public who find fault in said reports. Crowdsourcing is necessary, because authorities are simply not reading past the first page if it's produced by a big consulting mob.

    14. Re: The system is broken by bestweasel · · Score: 1

      This is the first time I've seen that splendid sobriquet so I apologize for being picky but shouldn't "baby" in "Kenyan Terror baby" have a capital B because we are referring not to a random baby suffering from Kenyan Terror but a specific, indeed The, Kenyan Terror Baby? Is there more than one?

    15. Re: The system is broken by Ol+Olsoc · · Score: 1

      This is the first time I've seen that splendid sobriquet so I apologize for being picky but shouldn't "baby" in "Kenyan Terror baby" have a capital B because we are referring not to a random baby suffering from Kenyan Terror but a specific, indeed The, Kenyan Terror Baby? Is there more than one?

      Good point and agreed. It shall now be The Kenyan Terror Baby.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    16. Re:The system is broken by Anonymous Coward · · Score: 0

      Yep. I tried to get the hidden data they have on me last week, and got a canned response, which told me to log in (or, if I didn't have an account, I could just fill out their form, which I did in the first place!).

      I resent the form again, with a few expletives added for good measure, and got the same canned response again.

      Fuck Zuck, and the horse he rode in on.

    17. Re:The system is broken by Hognoxious · · Score: 1

      Fuck Zuck, and the horse he rode in on.

      In that order? It's just that I'd have trouble telling them apart.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    18. Re:The system is broken by fustakrakich · · Score: 1

      Yeah, a law giving us the power of subpoena to our own data and how/where/when it was acquired sounds fair to me. Hey, we're just *filing for discovery*.

      --
      “He’s not deformed, he’s just drunk!”
    19. Re: The system is broken by Reverend+Green · · Score: 1

      Incoherent rant is incoherent.

    20. Re: The system is broken by Reverend+Green · · Score: 1

      Us deplorable commoners just can't handle the truth.

    21. Re: The system is broken by Anonymous Coward · · Score: 0

      Missed point is missed

  2. Full scale trade war commences by Anonymous Coward · · Score: 0

    I am happy to report to you that the trade war with China is in full swing

    1. ZTE will file bankruptcy in a few weeks

    https://www.forbes.com/sites/jeanbaptiste/2018/04/17/how-the-u-s-export-ban-effectively-bankrupts-chinas-telecom-giant-zte/2/#7da1fe0b4089

    2. Trump will declare a national emergency to ban all China's investment in USA

    https://www.bloomberg.com/news/articles/2018-04-19/u-s-weighs-emergency-powers-to-curb-tech-investments-by-china

    1. Re: Full scale trade war commences by Anonymous Coward · · Score: 0

      Where can I buy up Karl Marx's greatgrandson's chip fab for pennies on the dollar?

  3. Well by Anonymous Coward · · Score: 0

    Fuck Zuck.

    1. Re:Well by Anonymous Coward · · Score: 0

      No, fuck Price Waterhouse Coopers.

  4. theres a deal a cookin by Anonymous Coward · · Score: 0

    Maybe a kike had some sort of kike connection for tax purposes?

  5. They do their job by hcs_$reboot · · Score: 4, Insightful

    Problems: 1) auditors are paid by the auditees, 2) they do their job, what they were asked for, and not more. Why do you think these audit / consultancy firms are that expensive? An audit, done to reveal the kind of recent leaks, would only truly work if done by a public institution.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:They do their job by Anonymous Coward · · Score: 5, Informative

      Yep, posting anonymously for obvious reasons, but I work for a financial services firm, and we had an issue that meant people were unfairly getting rejected for mortgages because the analytics team had completely fucked up some scoring calculations. This was reported to the regulator as we had a legal obligation to do so, and we had to get auditors in to confirm the validity of our fix and processes, and to prevent this happening again.

      The auditor was also PwC, and I had to work closely with them to help provide them the information they needed.

      Make no mistake, when people pay a company like PwC to "audit" them and "hold them to account", they're not paying for that at all. What they're paying for is for a company with a big legal department backing its auditors to come in and help them evade any legal ramifications stemming from their mistake. The auditors don't, for example, remotely report back any failings to anyone independent, so there's no holding to account off the back of these audits. All they do is linger around, charging by the day, to help try and spot any mistakes you've made and help you cover them up; when you've done that they sign the audit off as having passed.

      So let's be clear here: you could be guilty of gross incompetence, abject illegality, and you can call in a company like PwC, you can ask them to help you make everything legal for as long as it takes, then at the end of it they sign off as "audit passed". That is, they're not auditing the company that made the mistake, they're auditing the company that they spent weeks, or even months, plastering over the mistake.

      You could argue this is sufficient in itself, because at least the company being audited has made up for its mistakes, but again, we're talking about what is sometimes absolute illegality here in some cases, with some companies, and if companies are allowed to cover that up with no transparency over how bad things were and what went wrong, and no legal punishment for something that by law should have legal punishment such as a fine, or even penalties against execs, then there's absolutely zero incentive for companies to ever improve, so once the auditors have gone, odds are they'll just slip back into their ways if it's financially beneficial to do so. In our case, for example, it was "good job everyone in passing the audit", when in reality it should've been "analysts, you need to improve your processes and start ensuring your calculations are accompanied with mathematical proofs where appropriate and sufficient test cases so as to allow automated validation and regression testing".

      What PwC offers isn't an audit per se, it's a cover-up service; no one should be surprised when a paid cover-up service declares everything a-ok.

      Honestly, given that PwC is also the prime culprit for "tax efficiency" which too many times has turned out to actually be outright tax evasion, rather than just avoidance, then this company should be shut down. Its entire existence is built around supporting corporate criminality. It's not the only one, but it's definitely the most prominent one.

    2. Re:They do their job by Anonymous Coward · · Score: 1

      It's not an auditors job to air your dirty laundry (the levels of NDAs they're under would prohibit it anyway). They are there to make sure you use soap. Granted they likely would try to argue you showed them a box that looked like soap, it's their job - their bond - to prove that it was. They will become liable if it comes out later that you in fact did not use soap.

    3. Re:They do their job by monkeyxpress · · Score: 1

      It's the same with consultants (though perhaps less legally questionable). e.g. CEO wants to outsource to somewhere, but doesn't want responsibility for the decision. Calls in management consultants. After paying them lots of money they write a report recommending outsourcing to somewhere. If outsourcing program works out, CEO claims responsibility. If it crashes and burns CEO blames the consultants.

      I think of them as professional fall guys.

    4. Re: They do their job by orlanz · · Score: 1

      Nothing of what you said is considered external auditing. That's closer to "IT consultation" or at best internal auditing.

      Internal Auditors report directly to the CFO. External Auditors report to the auditing firm's partners and the clients' shareholders.

    5. Re:They do their job by Anonymous Coward · · Score: 0

      Problems: 1) auditors are paid by the auditees, 2) they do their job, what they were asked for, and not more. Why do you think these audit / consultancy firms are that expensive? An audit, done to reveal the kind of recent leaks, would only truly work if done by a public institution.

      That's totes adorbs.

      Do you really believe an Obama administration "public institution" would have done anything to protect your privacy from the Obama campaign doing exactly what Cambridge Analytica is accused of doing?

    6. Re: They do their job by Anonymous Coward · · Score: 0

      I think you're perhaps a bit naive on the subject. If the GP is talking about financial analytics then that's not an IT issue, so not IT consultation. It's also got nothing to do with the CFO; the CFO has no responsibility for analytics teams doing financial analytical work. The CFO's focus is the finances of the business, and if there's no financial impact from the issue because it can be dealt with without a fine or re-allocation of finances then they'll have literally no interest in this.

      Most likely it'll be the COO, CEO, Analytics Director and people like that.

    7. Re:They do their job by sweet+'n+sour · · Score: 1

      When people hear the word "audit" what most think of is "tax audit", i.e. someone is coming in to verify that you have documentation to back up the claims made when the taxes were filed. Don't have the documentation? You're in BIG TROUBLE with the law: jail time + fines.

      The type of audit Facebook had is not this. These types of audits do something else:

      They make sure that controls are in place -- that the company being audited has working internal methods (internal audits) to catch things -- things like what happened with Cambridge. They verify that the internal audit teams are doing things correctly. It is against the law for this audit team to give them "tips" and to help "cover up" anything -- a different firm must be hired to help with recommendations on how to fix broken controls if they exist. All the audit team can say is "Controls good" or "controls deficient".

      One thing these audits definitely don't do is unhide stuff the company wants to keep hidden. If the company doesn't disclose something to the audit team, it won't be seen by the audit team. The audit team is never given privileged access to all the data. For instance if Google is audited, no one is ever going to see the secret juju search engine code.

      These audits aren't completely useless however! If Facebook has controls in place to catch these things and the audit team signed off on them, it /highly/ suggests that the company was WELL AWARE of the security breach and let it happen anyway.

    8. Re: They do their job by orlanz · · Score: 1

      The GGP isn't talking about the Analytics team or that department. He is talking about the auditors who would be an independent department.

      Internal auditors will report to the VP of Risk Management, Chief Audit Executive or similar. All such positions usually report to the CFO (in the US). The audit aspect of the CFO's job reports to the Board of Directors, Audit Committee, and/or SEC (via fiduciary duty). Basically they don't [usually] go to the CEO or any of their reports like the COO (it would be a conflict of interest). External Auditors report to the BoD/AC. CEOs/CFOs/COOs can't hire and fire external auditors. I was an auditor in a past life; internal, external, consulting (accounting, accounting systems, & tax), security, and part of it exactly what the GGP is posting on. And I've been on both sides of the fence in this matter. We do not tell the "regulators" that Company A is "OK" or "holding them to account" for some unknown or self-established standard.

      In the above case, the usual scenario is that the Company is responsible for telling the regulators what their policies are, what they do, where they messed up, and how they fixed their screw up. It is the regulators responsibility to make sure the Company is reporting and that these are acceptable. It is the auditor's responsibility to form & state an OPINION that within reason, the Company's policies are aligned with the regulations, and that they do what the policies say (note: not what the regulations say). This is the CORE of ALL audit work, irrelevant of the field. Even when you go to Quality Assurance of manufactured parts, this is the fundamental aspect of the work (ie: policies = defined tolerances, policies followed = sample measured within tolerances, six sigma, etc).

      A secondary OPINION is what an auditor provides. And that final opinion dismisses immaterial findings/violations. This is where most IT, bean counters, InfoSec, techs, policy owners, etc. (engineers not so much) get hung up. Especially programmers. They will scream that a failure is a failure, but from the auditor/regulator/BoD viewpoint, if it is not material, i.e. it doesn't do a lot of damage, then it is not serious. In the GGP example, assume that the "fuck up" actually impacted 3% of the submissions. It doesn't matter if in theory it can impact 100% of the submissions. If the actual figure is only 3%, this is not considered material. It would be a footnote, fixed, and people move on.

    9. Re:They do their job by Anonymous Coward · · Score: 0

      This. My org paid $50k for a database "audit" that didn't include an analysis given to them by the internal DBAs that noted a) a default password was given out for all new accounts and b) x out of y accounts still had the default password. Everyone knows the default because they all had it when they got their account. The org didn't expire the default password. No mention in the "audit".

    10. Re: They do their job by Anonymous Coward · · Score: 0

      You literally just invented your own corporate structure, decided that's how every other company ever operates, then used that to try and declare that everything you did as an auditor was legitimate and made sense.

      Contrary to your claims, telling regulators a company is ok as an outcome of an audit, or holding them to account to the law is exactly what many regulators across the globe require as part of the remediation plan for incidents that cause consumer detriment due to intentional or unintentional law breaking, which is precisely how PwC has managed to build an entire industry around doing exactly that in such a way that complies with the letter of the regulators demands whilst allowing said company to carry on business as usual which inevitably means the "mistake" gets repeated, especially if it's profitable to do so.

      This is probably one of the weakest attempts I've ever seen at someone trying to absolve themselves for being part of the problem in a past life.

      Final conclusion: 0/10, you failed your audit. Must try harder.

    11. Re: They do their job by orlanz · · Score: 1

      Internal Audit: "Internal auditing departments are led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer (In the United States this reporting relationship is required by law for publicly traded companies)."

      Audit Committee: "The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high level independent corporate executive with overall responsibility for internal audit."

      Some companies aren't big enough to have a full-fledged Audit Committee and rely on the CFO. Granted, for audits that are mostly legal in nature, reporting goes to the General Counsel (legal department), who does report to the CEO but also has far more law-profession-linked duties to look out for the stakeholders rather than the CEO/company.

      ...telling regulators a company is ok ... holding them to account to the law ... regulators ... require as part of the remediation plan ..., precisely how PwC ...build an entire industry ... complies with the letter of the regulators demands ...

      Um ok... not sure where you are going... Violations of the law are reviewed, sentence passed, and books closed. That is a separate matter. The "remediation plan" to prevent further violations is usually proposed by the one who broke it; the regulators accept, modify, or reject the plan. Firms like PwC do usually provide consultation in creating that plan and regulators normally accept it. However, if PwC creates the plan, they aren't allowed to provide attestation (audit) of it; another firm needs to. But these firms do NOT "hold them to account to the law", they only do an attestation; provide an opinion on the matter; listing any material deviations. It is up to the regulatory body to review the opinion piece and determine if any deviations merit actions.

      You may feel that PwC may "bend the truth" so that their client avoids penalties, but they do so at the cost of their brand. Too much and it hurts the PwC brand. If it falls too low, no agency nor shareholder will believe them, in which case their opinions are worthless. And no client will hire them (ie: Arthur Andersen).

      You should actually try to understand WHAT an audit is. Maybe actually read some Financial/Annual/Security/Legal/Operational Statements. Many people have far too high expectations for audits. They aren't what many think.

    12. Re:They do their job by Anonymous Coward · · Score: 0

      Auditors in most areas of regulation are paid to both determine what does and does not pass a sniff test, and help an org clear things up if possible to meet the sniff test. Any org that doesn't want to fix things up to pass the sniff test is not going to fare well on reports. There's also a saying in security, if an auditor doesn't find a problem they're not doing their job. There's *always* room to argue failure, because the regulations themselves are not specific enough to define testable criteria, they only paint a broad stroke in order to give more general guidance that might be useful across a variety of use cases.

      That's the only way it's going to work. You seem to think that auditors should be able to come in and shut down a company on a whim. That kind of system would never work - people would never choose to get audited. Not worth the risk. If you let government do that (and in some cases we do especially where it's health-related), then you are allowing the government to pick the winners and the losers, because the implementations that any org are going to have will be situations that are unique to their operation, and will need to be judged by the wide brush strokes that everyone else gets as well, and it's generally up to the auditors if people will have a job the following day. That's also pretty broken.

    13. Re:They do their job by hcs_$reboot · · Score: 1

      One of the most interesting and insightful testimonies on /.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  6. Auditors always remember who pays them by Anonymous Coward · · Score: 0

    Having participated in many 'audits' from SAS 99 to ISO 27001, I can tell you that the auditors' primary job is to give a clean report to their customers, the ones being audited. Auditors mostly go with what their customers are willing to tell them and the 'challenge' questions are really weak and easy to pass.

    At a former company that dealt in information security, engineers often copied customer data to their unencrypted laptop so that it was more convenient for them to work. After 3 years of giving mild verbal warnings the auditor finally gave a 'strong' verbal warning that he should really write it down in his report but would give him a verbal one just one more time. The same behavior continued and the verbal warnings stayed verbal.

  7. PwC audited them and you expect ..., seriously by Anonymous Coward · · Score: 0

    PwC : The customer puts the cash in my brown paper bag.
    Customer: Done. Please, stamp compliance document.
    PwC: Done. Have a nice day.

    Isn't that how they work?

    1. Re: PwC audited them and you expect ..., seriously by Anonymous Coward · · Score: 0

      Well, typically you show them your bookkeeping and a PDF of your accounts with their respective transactions. And they approve that. The problem is all those transactions you don't show them. Somehow they don't audit those and they tend to be the problematic ones (bribes, blood diamonds, business in North Korea, etc).

  8. An audit is not complete ... by Anonymous Coward · · Score: 1

    ... if it is not comprehensive

    I used to work with Moody, an internationally recognized firm which stresses its independence

    The audits that we carried out must not do favors for any party, and must be comprehensive, over and beyond what has been described in the job scope

    Often we dug through many outside sources about the real nature of the client we were about to audit, before we even accepted them as a client

  9. Audit by Anonymous Coward · · Score: 0

    The technical term for this is "indulgence".

  10. Re:The Facebook business model is broken by findoutmoretoday · · Score: 2

    The Cambridge Analytica leak shows us that Facebook has surprisingly no clue or hold on their assets. If user data is the product, that product is freely harvested by third parties outside the control of Facebook.

  11. PwC by monkeyxpress · · Score: 1

    Right. So this is like how Carillion (a big construction conglomerate in the UK) became insolvent just months after KPMG had given them the green light in an audit (for which they took millions in fees). Or how the various ratings agencies gave CDOs investment grade ratings despite them being based on total junk.

    I mean, it is just a sort of formalised corruption at this point. In South East Asia they do it with brown paper bags under the table; over here they just buy the politicians so that what they are doing is fully 'legal' in the sense that it doesn't break any of the laws they have paid to get written.

    At least in Asia there is some semblance of equality in that the intrinsic power structure is weakened at all levels by corruption (a regular prole can still buy off the local cop). In the west the rigid formalised power structure means that only those at the top get all the benefits of 'flexible' rules while the rest of us are kept under the thumb.

    1. Re:PwC by Anonymous Coward · · Score: 0

      And notice the operative word in your post - UK. PwC is a UK-HQ'd company, surprise surprise... ahem, deep state

  12. Gee, I wonder by Anonymous Coward · · Score: 0

    who paid for it, Facebook or the FTC?

    1. Re:Gee, I wonder by myid · · Score: 1

      who paid for it, Facebook or the FTC?

      I care more about who chose the auditing company.

      The FTC should have chosen a company that specialized in testing the security of other companies. The FTC should have told the security company, "Test Facebook, send your results to us and to Facebook, send the bill to Facebook, and tell us if they give you any problems."

  13. security audits utterly useless by phantomfive · · Score: 1

    Security audits and privacy audits are utterly useless for this case... Is the data secure? Is it private? The answer is no, and an audit like this is merely saying "we tried" even though in reality they weren't trying; they just wanted CYA ability in court.

    --
    "First they came for the slanderers and i said nothing."
  14. Fuck Slashdot by Anonymous Coward · · Score: 0

    The right wing flamewars are getting very boring.

    Grow up and open your eyes. There are important problems that need solving.

  15. Makes no difference. by Anonymous Coward · · Score: 0

    Even if they are properly audited, the situation stays the same: their business model relies on collecting users' data for advertising purposes.

    The answer? Stop giving it to them and delete your account. Otherwise data will always be collected.

    1. Re:Makes no difference. by Anonymous Coward · · Score: 0

      And that data collected about people *will* eventually be abused.

  16. Grab popcorn.. PwC just shot themselves by Anonymous Coward · · Score: 0

    This will likely get downvoted but auditors exist based on one thing - trust. It's literally their bond. Any auditor that accepts a bribe effectively ends their career and if it can be proven their company had to have known their findings were false, they too will face the wrath. Can't get much worse in Facebook's case unless the US Senate fails to take any action against them and it's proven Facebook paid for it.

    Although IT tends to laugh at them, audits are still a legally binding "thing" within some sectors. The last thing PwC or any other auditor wants is their own operations being investigated. This just opened a whole other can of worms. About time too.

    1. Re:Grab popcorn.. PwC just shot themselves by Anonymous Coward · · Score: 0

      Sorry, that's not how it works. If PWC, or anyone else, did any *REAL* audits they would very quickly find themselves with no clients, i.e., out of business. PWC and all other "auditors" are in the CYA and Plausible Deniability business. Period.

      Their job is to issue a report that says "Everything is 100% Okey Dokey" and they employ a lot of lawyers who can do it in a way that contains all the proper legal mumbo-jumbo so that it's unlikely they or their client will find themselves in any trouble.

      Until audits are conducted by an independent agency, with no profit motive, audits will continue to be meaningless.

    2. Re:Grab popcorn.. PwC just shot themselves by Anonymous Coward · · Score: 1

      Sorry, that's not how it works. If PWC, or anyone else, did any *REAL* audits they would very quickly find themselves with no clients, i.e., out of business. PWC and all other "auditors" are in the CYA and Plausible Deniability business. Period.

      Except audits are _required_ in many fields. An audit is legal assurance (and yes I realize the irony). It will be interesting if Facebook tries to punt their obligations (and presumably fines), to PwC. Would be like ratting on the mob, Zuckerberg wouldn't last too long.

      I'd be pulling money out of their stock about now before Facebook execs dump it for their "retirements". Their current overinflated valuation still amazes me.

  17. Just say NO to FaceBook and all the other sites by Anonymous Coward · · Score: 0

    that make out that they are 'social media'.
    If millions and millions stop using them then their advertisers will take their corrupt $$$ elsewhere. Perhaps in time they might start to think about ethical advertising.

    Until then FB and the like are blocked at my firewall and all adverts are blocked in my browsers.
    Go F**k yourself Zuck and company.

  18. ShanghaiBill = fake name massive human fail by Anonymous Coward · · Score: 0

    See subject: Your MASSIVE FAIL in this life is you're nothing more than a chattering little do-nothing "ne'er-do-well" online & you know it...

    * Is that the best your "phantasyland FAKE NAME" (for your fake lie of a so-called 'life') can manage?

    When a FAKE NAME do nothing like YOU does better than I have? Then talk (you're all talk & no action)...

    You can't help you're an immature little BUTTHURT no-mind, lol! I blew you away in TONS OF PLACES and easily dust your no-mind bullshit blatherings.

    APK

    P.S.=> The TRUE PRICE of your UNIDENTIFIABLE FAKE NAME do-nothing selves like you that I can ALWAYS CASH IN ON (lol) is that I can use FACT/TRUTH on them to SHATTER their all TOO fragile delusional egos that they actually know A DAMN THING in computing, lol... apk

  19. LOL by Anonymous Coward · · Score: 0

    These firms are literally paid to cover shit up.

    I've worked with all of them, and they are all well-educated prostitutes who do nothing but provide a veneer of credibility. Anyone remember Arthur Andersen?

  20. Silicon Valley not that smart by Anonymous Coward · · Score: 0

    After all we've seen, it is as clear as a bell how wrong the audit is. Just because Silicon Valley people can write some code (nothing special nowadays) they feel masters of the known universe... and they are simply a bunch of **sholes caught red handed.

  21. Poor article & post - a fluff about nothing. by orlanz · · Score: 2

    The article and post play into the usual misunderstandings of what a true external audit is. An auditor NEVER gives a clean bill of health to ANYONE.

    It would be the equivalent of saying "My 14 year old daughter is incapable of lying!" Or to hit closer to this group "This networked system is totally secure for the next 10 years!" No, those are stupid! Any competent IT guy would say "This system has all the latest patches and best industry practices to remain secure." They would check a few patches and see if they were applied quickly enough to come to that conclusion.

    An auditor collects enough information from a client for an owner of the firm to provide a SECONDARY agreeing or dissenting OPINION of the company's financial or security or operational position. The company can say "We are going bankrupt." and the auditor will say "I think they are right!"

    operating with sufficient effectiveness to provide reasonable assurance

    The key words that you will find in almost all audit work are "sufficient effectiveness" and "reasonable assurance". Which is completely true in this situation. Facebook doesn't have policies that give your data out to anyone. They don't violate their policies by doing such. A partner did really go above and beyond what they should have. Facebook failed to regulate such partner but may have had reasonable measures to prevent abuse.

    Also, keep in mind that auditors are not here to catch the client in lies, nor catch collusion between people (reportee buys a car, mgr approves, they sell & split profits).

    Basically the article is "Auditors did their job but it wasn't enough to prevent this."

  22. Ease up on the auditors, look at the dates. by sabbede · · Score: 1

    The audit began in February 2015. In 2014, Facebook changed their API to remove the feature Cambridge exploited. In late 2015, Facebook realized what Cambridge had done.

    So it doesn't look to me like the auditors weren't doing their job, it looks like they did their job, helped uncover what happened, and were still able to give Facebook the thumbs up because they had already fixed the problem months before the audit began.

  23. Anyone surprised? by f00zbll · · Score: 2

    This is the same PWC that theoretically audited AIG before they went belly up with the financial crash. They also "audited" JPMC and then was fined for basically not doing their job. Seriously, PWC is who you hire when you want to report results without actually doing an audit. https://en.wikipedia.org/wiki/...

  24. Audits are, effectively, useless by OneHundredAndTen · · Score: 2

    Those of us old enough remember the Arthur Andersen debacle only too well. The modus operandi is always the same: the companies carrying out the audit, usually requested by the companies being audited, simply do like the proverbial $25 whore.

  25. Limited vocabulary by Not-a-Neg · · Score: 1

    Do none of these NYTimes twats know the word "scraping"? They seem Hell bent on trying to make what occurred appear like some l33t hacking operation.

    --
    -==- Buy a Mac and leave me alone!
  26. Have We Learned Nothing From Enron? by RonVNX · · Score: 1

    If you've hired a "Big Accounting Firm", you've already failed. All those sleazeballs that advertise on the Sunday political shows? Do not hire them. Not ever. For anything. People who know, don't hire BDO. Or PWC, or any of the other "Big 4" Sleaze Firms.

  27. Re:The Facebook business model is broken by oh_my_080980980 · · Score: 1

    It shows Facebook doing business as usual. They knew about this in 2012 and did not care.

  28. Re:The Facebook business model is broken by Anonymous Coward · · Score: 0

    User data isn't the product; user attention is.

    User data is used to facilitate the process of marketing user attention, but the actual product is the ability to put an ad where someone (ideally someone who might be interested in the ad) will actually see it.

    A third party who scrapes Facebook's data but doesn't have Facebook's users logging in hourly hasn't become a competitor to Facebook.

  29. Suckerberg bribed judges via contributions by Anonymous Coward · · Score: 0

    Zuck bribed a majority of courts' panel of judges (by political contributions as Jew PACS do). He still had to apologize!

    Mark Zuckerberg who STOLE facebook's code from the Winklevoss twins (who dusted him in court on it) calling his users "DUMB FUCKS" & spied on his collegiate classmates via 'fakebook', home of bots and spying/tracking you, now in court FRYING (rightfully so).

    Khazar Talmudic Jews (zuck = jew) believe this of all they call goyim/gentiles (any non-jew): Jews = biggest racists of all for which they "jew guilt" you for no less! They're hypocrites known as thieves all thru history or were these nations banishing them a lie? Argentines in 1940 under Peron, France (1306), Egypt (despoiled/robbed by jews), Arabs (pre & post 1948), England (1330 Edward longshanks), Romans under titus, Russia pogroms, Spanish inquistion & Spain 1492 and Germany who got rid of them from their nations nazi german's too? No. Driven into DESERTS ages ago! Don't wonder why after all those exilings above. Should anyone doubt any of this see Jacob Javits' crony Rosenthal spill the beans on it https://www.youtube.com/watch?v=D4zMVZ8HnFI/ where he called all Christianity fools for helping Israel and the biggest scam of all time per their beliefs below from their Talmud. This is the province of the synagogue of Satan (Pharisees whom Jesus Christ himself kicked to the curb out of the temple & they killed him for it. Jeremiah did the same to them also + the Essenes could not stand them either breaking away from the pharisee corruption):

    Maria Abramovic satanist spirit cooker pal of Hillary Clinton the Voodoo queen is a jew https://www.google.com/search?...

    Like Hillary Clinton's mentor Saul Alinsky author of rules for radicals book dedicated to Lucifer

    John Podesta Hillary's pal again, is another JUDE with a pedophile brother (both = satanists too imo).

    "Most Jews do not like to admit it, but our god is Lucifer - so I wasn't lying - and we are his chosen people. Lucifer is very much alive" Harold Rosenthal http://www.thetruthseeker.co.u...

    Jewish rabbi openly admits to satan worship use white children's blood they kill for passover bread (which THIS video covers in detail https://www.youtube.com/watch?v=eU8Y1743QoY/ & how they ran the black slave trade + how they say a prayer to KILL US ALL (goyim) during passover), infiltrating and subverting the catholic church, creating the Jesuit order https://www.youtube.com/watch?... and https://www.youtube.com/watch?...
    or https://www.youtube.com/watch?... too!

    Barbara Spectre, a jew, tells everyone it's jews orchestrating the muslim migrant problem in Europe https://www.youtube.com/watch?v=MFE0qAiofMQ/ . No migrant raping of women in Poland. Tons in Sweden. Do the math. Use common-sense. This is to get muslims and other goyim/gentiles to wipe one another out as incompatible cultures that will clash and always have.

    Rabbi A. Finkelstein ADMITS their greatest enemies are ARABS and WHITES (blacks too) whom they wish to kill one another in a 'theater of war' which they find AMUSING https://www.youtube.com/watch?...

    Finkelstein also admits JEWS DID 9/11 (perpetrated by the Mossad & Bebe Netanyahu of ISRAEL) https://www.youtube.com/watch?... profiti

  30. Of course it did by argStyopa · · Score: 2

    It didn't audit as a "leak" because it WASN'T A LEAK?

    This was the facebook API working essentially as intended. To a malign purpose (ie helping Trump) and to a degree in excess of what the researcher was expected to pull, but this was in no sense someone 'hacking' fb's systems to get information that wasn't intended to be collected somehow.

    --
    -Styopa